F13: nautilus & mmap

Daniel J Walsh dwalsh at redhat.com
Tue Dec 14 22:47:37 UTC 2010


On 12/14/2010 05:02 PM, Daniel B. Thurman wrote:
> 
> Not sure what this means, but it sounds ominous...
> Using the latest updates.
> 
> ==================================================
> Summary:
> 
> Your system may be seriously compromised! /usr/bin/nautilus (deleted)
> attempted
> to mmap low kernel memory.
> 
> Detailed Description:
> 
> SELinux has denied the nautilus the ability to mmap low area of the kernel
> address space. The ability to mmap a low area of the address space, as
> configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
> protect against exploiting null deref bugs in the kernel. All
> applications that
> need this access should have already had policy written for them. If a
> compromised application tries modify the kernel this AVC would be generated.
> This is a serious issue. Your system may very well be compromised.
> 
> Allowing Access:
> 
> Contact your security administrator and report this issue.
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                None [ memprotect ]
> Source                        nautilus
> Source Path                   /usr/bin/nautilus (deleted)
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages          
> Target RPM Packages          
> Policy RPM                    selinux-policy-3.7.19-74.fc13
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   mmap_zero
> Host Name                     (removed)
> Platform                      Linux <host>.<domain>.com
> 2.6.34.7-61.fc13.i686 #1 SMP
>                               Tue Oct 19 04:42:47 UTC 2010 i686 i686
> Alert Count                   1186
> First Seen                    Thu 09 Dec 2010 12:08:59 PM PST
> Last Seen                     Thu 09 Dec 2010 12:13:09 PM PST
> Local ID                      aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
> Line Numbers                 
> 
> Raw Audit Messages           
> 
> node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc: 
> denied  { mmap_zero } for  pid=26679 comm="nautilus"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect
> 
> node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
> items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
> exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
Only apps we know of that need this are wine and vbetool.  Are you
running some proprietary X Drivers?
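
For triage of a report like the one quoted above, the SYSCALL record can be decoded into the path and mmap arguments it carries. The following is an added example, not part of either message: the function names are hypothetical, the record is constructed from the quoted audit line (wraps joined, some fields omitted), and only the i386 mmap2 case seen here (arch=40000003, syscall=192) is handled.

```python
import re

# Constructed from the SYSCALL record quoted in the report (wraps joined, fields trimmed).
RECORD = ('type=SYSCALL msg=audit(1291925589.462:92406): arch=40000003 syscall=192 '
          'success=no exit=-13 a0=0 a1=a000 a2=3 a3=22 pid=26679 comm="nautilus" '
          'exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429')

# Linux i386 values for the mmap prot and flags arguments.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def parse_fields(record):
    """Split an audit record into raw key=value pairs (quotes kept)."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def decode_field(value):
    """Quoted strings are literal; unquoted all-hex strings are hex-encoded by auditd."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def names(bits, table):
    """Name the known bits and report any leftover bits as hex."""
    out = [name for bit, name in table.items() if bits & bit]
    rest = bits & ~sum(table)
    return out + ([hex(rest)] if rest else [])

def triage(record):
    f = parse_fields(record)
    # Assumption: only i386 mmap2 records are decoded; other syscalls differ in layout.
    if (f.get("arch"), f.get("syscall")) != ("40000003", "192"):
        raise ValueError("not an i386 mmap2 record")
    addr, length, prot, flags = (int(f[a], 16) for a in ("a0", "a1", "a2", "a3"))
    return {
        "exe": decode_field(f["exe"]),
        "comm": decode_field(f["comm"]),
        "addr": addr,
        "length": length,
        "prot": names(prot, PROT),
        "flags": names(flags, FLAGS),
        "fixed_address": bool(flags & 0x10),  # was a specific address demanded?
        "errno": -int(f["exit"]),             # 13 is EACCES
    }

if __name__ == "__main__":
    for key, value in triage(RECORD).items():
        print(f"{key:14} {value}")
```
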

